BlackCat Spoofs Victim Website to Leak Stolen DataRansomware-as-a-Service Group Is a Pioneer in Typosquatting Domains to Spread Leaks
The BlackCat ransomware-as-a-service group is trying out a new pressure tactic for victims to pay extortion: creating a spoofed website on the public internet revealing personal data stolen from its victim.
The group, also known as Alphv, allegedly stole 3.5GB of data from a U.S.-based small accounting firm. All that data is apparently available on the spoofed website, which resolves to a domain name one tiny spelling error away from the accounting firm's legitimate name.
"We created a clearnet site with the stolen data, we hope you enjoy it!" BlackCat wrote on its leak site. The stolen data is also on a file-sharing service whose link is on the leak site.
The data seen by Information Security Media Group appears to belong to the employees and clients of the accounting firm and contains cleartext passwords, employee details, audit reports, tax return details of its clients, driver's licenses and unredacted scans of passports.
As of early Tuesday evening, the spoof website is still online. WHOIS data shows an unnamed party - the registration is private - registered the typosquatted domain on Dec. 22.
BlackCat used a similar method against an Oregon-based luxury spa and resort in a June attack. The group created a typosquatted website with a
.xyz domain on the open internet to display employee and guest records of the spa and resort. At the time, the typosquatted website contained the personal data of 1,534 employees and spending totals of 2,789 named guests (see: BlackCat Extortion Technique: Public Access to Breached Data).
Threat actors invent new strategies all the time, said Brett Callow, a threat analyst at security firm Emsisoft, at the time.
"We've seen them transition from encryption-only attacks to encryption plus exfiltration, and now we're seeing them look for new ways to leverage the exfiltrated data," Callow told ISMG.